[ale] ipchains question
Stephen Lastinger
steve at computernetdesign.com
Wed Jul 12 19:43:36 EDT 2000
OK. This one's been bugging me for some time. Why does this not work?
Situation: I have a large network going through a firewall running
ipchains which is masquerading and routing traffic perfectly. I'd like
to block web traffic for a few individuals who do way too much surfing
during the course of a business day.
I've tried blocking traffic on port 80 for those machines on the
input, forwarding, and output chains of the internal interface
(shouldn't the input chain on the internal interface be the only one
necessary?) and tried using -I instead of -A but have been unsuccessful
(although ipchains -L -n -v says that the rules are in force). No
entries are being created in /var/log/messages, and I'm still unhappily
surfing on my test wkstn.
Any help here would be greatly appreciated.
Here's an excerpt (minus comments and rules not pertinent to the
question, for brevity) of some of the test rulesets I've set up. eth0 is
the external interface, and eth1 is the internal one:
LOCALNET="192.168.100.0/24"
ETH0IP="(external static ip)"

# Flush everything and default to DENY on all three built-in chains
/sbin/ipchains -F
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
# Clear port forwards, set masquerade timeouts (tcp, tcp-fin, udp), load the FTP helper
/usr/sbin/ipmasqadm portfw -f
/sbin/ipchains -M -S 7200 7200 7200
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Input section:
# NB: a port given after -s is a SOURCE-port match (packets coming FROM port 80 on
# 192.168.100.254); a browser's outgoing requests carry an ephemeral source port.
/sbin/ipchains -A input -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY
/sbin/ipchains -A input -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p udp -l -j DENY
/sbin/ipchains -A input -i eth1 -s ${LOCALNET} -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT
# Anti-spoofing: LAN addresses must never arrive on the external interface
/sbin/ipchains -A input -i eth0 -s ${LOCALNET} -d 0.0.0.0/0 -l -j DENY

# Forwarding section:
/sbin/ipchains -A forward -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY
/sbin/ipchains -A forward -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p udp -l -j DENY
/sbin/ipchains -A forward -s 192.168.100.0/24 -j MASQ

# Output section:
/sbin/ipchains -A output -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY
/sbin/ipchains -A output -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p udp -l -j DENY
/sbin/ipchains -A output -i eth1 -s 0.0.0.0/0 -d ${LOCALNET} -j ACCEPT
-Steve
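The per-host HTTP block from the post, rewritten so that the port number is matched on the destination side. This is an added example, not part of the original message or its ruleset; it assumes eth1 is the LAN interface (as in the post), a placeholder host list in BLOCKED_HOSTS, and a DRYRUN switch that prints the rules instead of loading them, since ipchains only exists on 2.2-era kernels. The broken form is kept alongside for comparison, and port_side() is a small audit helper for the positional `-s ADDR PORT` / `-d ADDR PORT` syntax.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumptions: LAN side is eth1,
# BLOCKED_HOSTS is a constructed placeholder list, DRYRUN=1 echoes the rules
# instead of running /sbin/ipchains (run with DRYRUN=0 on a real 2.2 box).
DRYRUN=${DRYRUN:-1}
LAN_IF=eth1
BLOCKED_HOSTS="192.168.100.254"   # constructed example list

ipc() {
    if [ "$DRYRUN" = 1 ]; then
        echo "/sbin/ipchains $*"
    else
        /sbin/ipchains "$@"
    fi
}

# The form from the post: "-s HOST 80" is a SOURCE-port match. On the LAN-side
# input chain that only matches packets sent by a web server on HOST; the
# browser on HOST uses an ephemeral source port, so the rule never fires and
# nothing is logged. Kept only for comparison.
broken_http_rule() {
    ipc -A input -i "$LAN_IF" -p tcp -s "$1" 80 -d 0.0.0.0/0 -l -j DENY
}

# Corrected rule: the port belongs with -d, so it matches traffic TO port 80.
# -I input 1 places it ahead of the LOCALNET ACCEPT rule whatever the load order;
# -l logs matches to the kernel log (normally /var/log/messages);
# REJECT rather than DENY so the browser gets an error instead of hanging.
blocked_http_rule() {
    ipc -I input 1 -i "$LAN_IF" -p tcp -s "$1" -d 0.0.0.0/0 80 -l -j REJECT
}

# One rule per host. Only the input chain on the LAN interface is needed: a
# LAN packet bound for the Internet traverses input (eth1), forward, output
# (eth0), and stopping it at the first chain is enough.
block_http_for_hosts() {
    for h in $BLOCKED_HOSTS; do
        blocked_http_rule "$h"
    done
}

# Audit helper: given a rule line using the positional "-s ADDR [PORT]" /
# "-d ADDR [PORT]" syntax, report whether the port is a source-port match
# ("sport"), a destination-port match ("dport") or absent ("none").
port_side() {
    flag=""; expect=""; result=none
    for tok in $1; do
        case $tok in
            -s|--source)      flag=s; expect=addr; continue ;;
            -d|--destination) flag=d; expect=addr; continue ;;
        esac
        if [ "$expect" = addr ]; then
            expect=port; continue          # this token is the address
        fi
        if [ "$expect" = port ]; then
            case $tok in
                [0-9]*) [ "$flag" = s ] && result=sport || result=dport ;;
            esac
            expect=""
        fi
    done
    echo "$result"
}

block_http_for_hosts
```

Two checks worth doing after loading the rules: `ipchains -L input -n -v` shows per-rule packet counters, so a rule whose counter stays at zero while the test workstation browses has simply never matched; and a port-80 rule says nothing about HTTPS, so sites reached over 443 will still load unless a matching rule is added for that port.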
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.